<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
	"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    
<?php 
$layout = explode('&&&', file_get_contents('layout.html'));
echo $layout[0];

session_start();
if (!(isset($_SESSION['username'])))
	header("location:login.php");
else if (!(isset($_SESSION['level'])) || $_SESSION['level']==0)
	header("location:AccessDenied.php");
?>

<html>
<style type="text/css">
<!--
.style1 {color: #FF0000}
-->
</style>
<body>

<!-- Begin Main Column -->

<div id="mainContent">
	
	<h2>Add a User</h2>
    <p></p>
    Note: Required fields denoted with an asterisk(*)
		<form id="form1" method="post" action="AddUser.php">
	  <table width="392" border="0">
        <tr>
          <td width="178">First Name:</td>
          <td width="204"><label>
            <input type="text" name="first_name" id="first_name" value ="<?php echo $_POST['first_name'] ?>" />
          </label></td>
        </tr>
        <tr>
          <td>Last Name:</td>
          <td><label>
            <input type="text" name="last_name" id="last_name" value ="<?php echo $_POST['last_name'] ?>" />
          </label></td>
        </tr>
        <tr>
          <td>* User ID:</td>
          <td><label>
            <input type="text" name="user_id" id="user_id" value ="<?php echo $_POST['user_id'] ?>" />
          </label></td>
        </tr>
        <tr>
          <td>* Password:</td>
          <td><label>
            <input type="password" name="password" id="password" />
          </label></td>
        </tr>
        <tr>
          <td>* Confirm Password:</td>
          <td><label>
            <input type="password" name="password_confirm" id="password_confirm" />
          </label></td>
        </tr>
        <tr>
          <td>* Email:</td>
          <td><label>
            <input type="text" name="email" id="email" value ="<?php echo $_POST['email'] ?>" />
          </label></td>
        </tr>
        <tr>
          <td>* Confirm Email:</td>
          <td><label>
            <input type="text" name="email_confirm" id="email_confirm" value ="<?php echo $_POST['email_confirm'] ?>" />
          </label></td>
        </tr>
        <tr>
          <td>* Access:</td>
          <td>

            <input type="radio" name="level" value="admin" id="admin" <?php if($_POST['level']=='admin') {echo " checked";}?> />
            Admin

            <input type="radio" name="level" value="normal" id="normal_user" <?php if($_POST['level']=='normal') {echo " checked";}?> />
            Staff</td>
        </tr>
      </table>
      <p>
          <input type="submit" name="submit" id="submit" value="Submit" class="button" /> </p>
    </form>

   <?php
   	if($_POST) {
		ob_start();
		$host="localhost"; // Host name
		$username="root"; // Mysql username
		$password=""; // Mysql password
		$db_name="rtl"; // Database name
		$tbl_name="user"; // Table name
		
		// Connect to server and select databse.
		mysql_connect("$host", "$username", "$password")or die("cannot connect");
		mysql_select_db("$db_name")or die("cannot select DB");
		
		$first_name=$_POST['first_name'];
		$last_name=$_POST['last_name'];
		$user_id=$_POST['user_id'];
		$password=$_POST['password'];
		$password_confirm=$_POST['password_confirm'];
		$email=$_POST['email'];
		$email_confirm=$_POST['email_confirm'];
		$level=$_POST['level'];
		
		// To protect MySQL injection (more detail about MySQL injection)
		$first_name = stripslashes($first_name);
		$last_name = stripslashes($last_name);
		$user_id = stripslashes($user_id);
		$password = stripslashes($password);
		$password_confirm = stripslashes($password_confirm);
		$email = stripslashes($email);
		$email_confirm = stripslashes($email_confirm);
		$first_name = mysql_real_escape_string($first_name);
		$last_name = mysql_real_escape_string($last_name);
		$user_id = mysql_real_escape_string($user_id);
		$password = mysql_real_escape_string($password);
		$password_confirm = mysql_real_escape_string($password_confirm);
		$email = mysql_real_escape_string($email);
		$email_confirm = mysql_real_escape_string($email_confirm);
		
		$error=0;
		if($username != NULL && $password != NULL && $email != NULL && $level != NULL) {
			if($password == $password_confirm && $email == $email_confirm) {
				$password = md5($password);
				if($level=="admin")
					$level = 1;
				else
					$level=0;
				mysql_query("INSERT INTO $tbl_name (FirstName, LastName, UserID, Passwd, Email, AccessLevel)
				VALUES ('$first_name', '$last_name', '$user_id', '$password', '$email', '$level')");
				echo "User successfuly added.";
			}
			else {
				if($password != $password_confirm)
					echo "Password must match password confirmation.<br>";
				if($email != $email_confirm)
					echo "Email must match email confirmation.<br>";
				$error=1;
			}
		}
		else {
			echo "Required fields needed.";
			$error=1;
		}
		
		if(!$error) {
			echo "<META HTTP-EQUIV='refresh' content='0;URL=AddUser.php'>";
		}
		
		ob_end_flush();
   }
   ?>

</div>

<!-- Begin Side Column -->
<!-- Begin Footer -->
<?php
echo $layout[1];
?>

</body>
</html>
